“GitHub Desktop automatically clones with the recursive option by default.”
A carriage return character in a .gitmodules file breaks Git’s security model wide open. Git strips carriage returns when reading config but doesn’t quote them when writing, so a path changes after validation. That lets an attacker write submodule contents anywhere on the filesystem, including into .git/hooks for arbitrary code execution. The fix is one line. The vulnerability is devastating. Clone an untrusted repo with –recursive and you’re owned. GitHub Desktop does this by default.